Patch to fix samba 3.5.15 domain security

John Wehle john at
Fri May 4 17:02:00 MDT 2012

Consider the following working samba 3.3.9 configuration:

  machine1 smb.conf                       machine2 smb.conf
  [global]                                [global]
   ...                                    ...
   domain master = yes                    domain master = no
   local master = yes                     local master = no
   preferred master = yes                 preferred master = no
   os level = 65                          os level = 65
   workgroup = WORKGROUP                  workgroup = WORKGROUP
   security = user                        security = domain
   domain logons = yes                    password server = machine1
   encrypt passwords = yes
   passdb backend = smbpasswd

A client attempting to access a resource on machine2 will cause
machine2 to contact machine1 in order to authenticate the user.
This allows all the passwords to be maintained in one place.

Everything worked fine with both machines running 3.3.9.

Everything worked fine after upgrading machine1 from 3.3.9 to 3.5.15.
Clients could access resources on machine1 by entering:


Once machine2 was upgraded to from 3.3.9 to 3.5.15 clients were
no longer able to access resources on machine2 by entering:


the log showed:

    Mapping user [CLIENT]\[user1] from workstation [CLIENT]
    Mapped domain from [CLIENT] to [MACHINE2] for user [user1] from
    workstation [CLIENT]
    check_ntlm_password:  Checking password for unmapped user
    [CLIENT]\[user1]@[CLIENT] with the new password interface
    check_ntlm_password:  mapped user is: [MACHINE2]\[user1]@[CLIENT]
    check_sam_security: Couldn't find user 'user1' in passdb.
    check_ntlm_password: sam authentication for user [user1] FAILED
    with error NT_STATUS_NO_SUCH_USER

However they can access machine2 resources by doing:


Looking at the make_user_info_map 3.3.9 code in auth_util.c we see:

  if ( *client_domain )
    domain = client_domain;
    domain = lp_workgroup();

In the 3.5.15 code we:

  domain = client_domain;

The enclosed patch restores the old behaviour when using domain security.

-- John Wehle
--- source3/auth/auth_util.c.ORIGINAL	2012-04-27 15:10:36.000000000 -0400
+++ source3/auth/auth_util.c	2012-05-04 17:44:53.653291396 -0400
@@ -210,7 +210,10 @@ NTSTATUS make_user_info_map(auth_usersup
 	DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
 		 client_domain, smb_name, wksta_name));
-	domain = client_domain;
+	if (lp_security() != SEC_DOMAIN)
+		domain = client_domain;
+	else
+		domain = lp_workgroup();
 	/* If you connect to a Windows domain member using a bogus domain name,
 	 * the Windows box will map the BOGUS\user to SAMNAME\user.  Thus, if
|   Feith Systems  |   Voice: 1-215-646-8000  |  Email: john at  |
|    John Wehle    |     Fax: 1-215-540-5495  |                         |

More information about the samba-technical mailing list